Description
The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5() and base64_encode() and then stored in the `banhammer_secret_key` option. This makes it possible for unauthenticated attackers to bypass the plugin’s logging and blocking by appending a GET parameter named `banhammer-process_{SECRET}` where `{SECRET}` is the predictable value, thereby causing Banhammer to abort its protections for that request.
Published: 2025-09-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized bypass of Banhammer protection
Action: Apply Patch
AI Analysis

Impact

The Banhammer plugin stores a site-wide secret key that is deterministically derived from a constant character set using md5() and base64_encode(). Because the key is predictable, unauthenticated users can append a GET parameter named banhammer-process_{SECRET} to any URL to cause Banhammer to abort its logging and blocking for that request. This allows attackers to avoid being logged or blocked by the plugin, effectively disabling its protection controls. The weakness is classified as CWE-330 (Use of Insufficiently Random Values).

Affected Systems

WordPress sites running the Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin from specialk, versions 3.4.8 and earlier.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is under 1%, suggesting a low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely without authentication by crafting a GET request that contains the predictable secret key; no elevated privileges or compromise of the WordPress core is required.

Generated by OpenCVE AI on April 22, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Banhammer plugin to the latest available version, which removes reliance on a deterministic secret key.
  • If an update is unavailable, temporarily disable the Banhammer plugin or remove it from the site to prevent the bypass.
  • Verify that site access is protected by additional security measures such as a Web Application Firewall or rate-limiting to mitigate potential abuse of the bypass.

Generated by OpenCVE AI on April 22, 2026 at 13:19 UTC.
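As a defender-side addition that is not part of the advisory or of the plugin's own code: a Python scan over constructed web-server access-log lines that flags requests carrying a `banhammer-process_…` query parameter, which is the signature of the bypass described above. The sample lines and the key suffixes in them are constructed placeholders, not real traffic or a real key.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter-name prefix named in the advisory; the suffix is the site's secret key.
BYPASS_PARAM_RE = re.compile(r"^banhammer-process_")

# Combined Log Format fields needed here: client IP, timestamp, request line, status.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def bypass_params(target):
    """Return the query-parameter names in a request target that match the bypass pattern.

    keep_blank_values=True matters: the bypass parameter may carry no value at all."""
    query = urlsplit(target).query
    return [name for name in parse_qs(query, keep_blank_values=True)
            if BYPASS_PARAM_RE.match(name)]


def scan_access_log(lines):
    """Return (ip, timestamp, path, matched_param_names) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip rather than fail
        names = bypass_params(m.group("target"))
        if names:
            hits.append((m.group("ip"), m.group("ts"),
                         urlsplit(m.group("target")).path, names))
    return hits


# Constructed sample log lines (placeholder key suffixes, not a real secret).
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Sep/2025:10:00:01 +0000] '
    '"GET /wp-login.php?banhammer-process_PLACEHOLDERKEY= HTTP/1.1" 200 1234',
    '203.0.113.11 - - [26/Sep/2025:10:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 5678',
    '203.0.113.12 - - [26/Sep/2025:10:00:03 +0000] '
    '"GET /xmlrpc.php?banhammer-process_abc123=1&foo=bar HTTP/1.1" 405 90',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Any hit from a client that Banhammer should have been blocking is direct evidence that the bypass was used against the site.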


Advisories
Source: EUVD
ID: EUVD-2025-31209
Title: The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5() and base64_encode() and then stored in the `banhammer_secret_key` option. This makes it possible for unauthenticated attackers to bypass the plugin’s logging and blocking by appending a GET parameter named `banhammer-process_{SECRET}` where `{SECRET}` is the predictable value, thereby causing Banhammer to abort its protections for that request.
History

Fri, 26 Sep 2025 20:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Wordpress; Wordpress wordpress
Vendors & Products    -                Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 03:45:00 +0000

Type          Values Removed   Values Added
Description   -                The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5() and base64_encode() and then stored in the `banhammer_secret_key` option. This makes it possible for unauthenticated attackers to bypass the plugin’s logging and blocking by appending a GET parameter named `banhammer-process_{SECRET}` where `{SECRET}` is the predictable value, thereby causing Banhammer to abort its protections for that request.
Title         -                Banhammer – Monitor Site Traffic, Block Bad Users and Bots <= 3.4.8 - Unauthenticated Protection Mechanism Bypass
Weaknesses    -                CWE-330
References    -                
Metrics       -                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:32.674Z

Reserved: 2025-09-19T19:27:00.940Z

Link: CVE-2025-10745

Vulnrichment

Updated: 2025-09-26T19:32:20.289Z

NVD

Status: Deferred

Published: 2025-09-26T04:15:55.837

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10745

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses